Difference between revisions of "BackupBuddy Remote Destinations: Amazon S3"

From iThemes Codex
(Simple Method (inline user policy))
 
(24 intermediate revisions by 2 users not shown)
Line 1: Line 1:
Once on the [[BackupBuddy_Remote_Destinations:_Introduction|Remote Destinations]] page, click the '''+Add New''' button to add your Amazon S3 destination.
+
Amazon Simple Storage Service (Amazon S3) is a well known cloud storage provider. This destination is known to be reliable and works well with BackupBuddy. For more information about Amazon S3, visit http://aws.amazon.com/s3/.
  
<br />
 
 
[[File:AddS3Destination.png|AddS3Destination.png|link=]]
 
 
<br />
 
 
In the settings that open, you'll first give your new destination a name. 
 
 
Then you'll need to enter your '''AWS access keys'''. 
 
  
You'll then select the '''Bucket''' you'd like to send your backup to. If you haven't created the Bucket yet, adding the Bucket name will create it for you. The name of your Bucket must be globally unique among all Amazon S3 users.  You also have the option here to add a '''Directory'''.  The directory is not a required option.
+
==Simple Method (inline user policy)==
 +
This is the easiest method for granting permission to access an S3 bucket to BackupBuddy.
 +
<ol>
 +
<li>Log in to the Amazon Web Console at http://console.aws.amazon.com</li>
 +
<li>From the top menu select "Services" then click "IAM".</li>
 +
<li>From the left menu select "Users" or go to https://console.aws.amazon.com/iam/home#users</li>
 +
<li>Click the "Create New Users" button.</li>
 +
<li>Enter a username you wish to create to give access to your bucket. For this example I am entering the username "backupbuddy_test_user".</li>
 +
<li>Click "Show User Security Credentials" to display them.</li>
 +
<li>This is the '''Access Key''' and '''Secret Key''' you will enter into BackupBuddy when creating the Amazon S3 Remote Destination. Enter them now into BackupBuddy, copy them, or download them for entering later. If you lose these you cannot get them later & will have to generate new keys.</li>
 +
<li>Click "Close" twice to move on.</li>
 +
<li>Click the username you just created to open its details.</li>
 +
<li>Select the "Permissions" tab.</li>
 +
<li>Under Inline Policies (click to expand), you will see "There are no inline policies to show. To create one, click here".</li>
 +
<li>Click where it says "click here".</li>
 +
<li>Choose "Policy Generator" and click "Select".
 +
<ul>
 +
<li>Effect: Allow</li>
 +
<li>AWS Service: Amazon S3</li>
 +
<li>Actions: All Actions</li>
 +
<li>Amazon Resource Name (ARN): arn:aws:s3:::YOUR_BUCKET_NAME_HERE/*</li>
 +
</ul>
 +
</li>
 +
<li>Return to the Users page Permissions tab</li>
 +
<li>Next to the new Policy select "Edit policy"</li>
 +
<li>Under "Resource", copy the ARN line and paste to the next line below it</li>
 +
<li>From the new pasted line remove the /* from the end (should have two identical lines except one as /* at the end and one does not</li>
 +
<li>Add a comma (,) to the end of the first ARN line you copied</li>
 +
<li>See example policy below to see how this should look</li>
 +
<li>Click "Apply policy" to save the changes</li>
 +
</ol>
  
Next you'll set your '''Archive limit'''.  This allows you to limit the number of backups stored in this location. 
 
  
This is also where you'd enable or disable the '''Encrypt connection'''.  When enabled, all transfers will be encrypted with SSL encryption.
+
'''Example Policy:'''
 +
<pre>
 +
{
 +
    "Version": "2012-10-17",
 +
    "Statement": [
 +
        {
 +
            "Sid": "Stmt1459964267000",
 +
            "Effect": "Allow",
 +
            "Action": [
 +
                "s3:*"
 +
            ],
 +
            "Resource": [
 +
                "arn:aws:s3:::YOUR_BUCKET_NAME_HERE/*",
 +
                "arn:aws:s3:::YOUR_BUCKET_NAME_HERE"
 +
            ]
 +
        }
 +
    ]
 +
}
 +
</pre>
  
<br />
+
==Advanced Method (bucket policy)==
 +
Here we will walk you through creating IAM Security Credentials and a Security Policy and then attach said Security Policy to your bucket. You will also obtain your security and access keys during this process.
 +
<ol>
 +
<li>Log in to the Amazon Web Console at http://console.aws.amazon.com</li>
 +
<li>From the top menu select "Services" then click "IAM".</li>
 +
<li>From the left menu select "Users" or go to https://console.aws.amazon.com/iam/home#users</li>
 +
<li>Click the "Create New Users" button.</li>
 +
<li>Enter a username you wish to create to give access to your bucket. For this example I am entering the username "backupbuddy_test_user".</li>
 +
<li>Click "Show User Security Credentials" to display them.</li>
 +
<li>This is the '''Access Key''' and '''Secret Key''' you will enter into BackupBuddy when creating the Amazon S3 Remote Destination. Enter them now into BackupBuddy, copy them, or download them for entering later. If you lose these you cannot get them later & will have to generate new keys.</li>
 +
<li>Click "Close" twice to move on.</li>
 +
<li>Click the username you just created to open its details.</li>
 +
<li>Copy the following Security Policy into your favorite text editor or note taking app/site such as Notepad, TextEdit, Typity, Sublime Text 2, etc:
 +
<pre> {
 +
"Version": "2012-10-17",
 +
"Statement": [
 +
{
 +
"Effect": "Allow",
 +
"Principal": {
 +
"AWS": [
 +
"YOUR_USER_ARN_HERE"
 +
]
 +
},
 +
"Action": "s3:*",
 +
"Resource": [
 +
"arn:aws:s3:::YOUR_BUCKET_NAME_HERE",
 +
"arn:aws:s3:::YOUR_BUCKET_NAME_HERE/*"
 +
]
 +
}
 +
]
 +
}
 +
</pre>
 +
</li>
 +
<li>Copy the text to the right of "User ARN". It will look something like <code>arn:aws:iam::193065484832:user/backupbuddy_test_user</code></li>
 +
<li>Paste this "User Arn" replacing "YOUR_USER_ARN_HERE" in the Security Policy above that you pasted into your text editor.</li>
 +
<li>Replace "YOUR_BUCKET_NAME_HERE" with the name of your Amazon S3 Bucket you want to grant this user access to.</li>
 +
<li>From the top menu select "Services" then click "S3" or go to https://console.aws.amazon.com/s3/home</li>
 +
<li>Click the bucket you want to grant access to.</li>
 +
<li>At the upper right, make sure the "Properties" tab/button is selected so you see bucket details on the right.</li>
 +
<li>Expand "Permissions" and click "Edit bucket policy".</li>
 +
<li>Paste the Security Policy from your text editor (that big chunk of text you put your user ARN and bucket name in from above) in this box.</li>
 +
<li>Click "Save".</li>
 +
<li>You can now test this S3 destination in BackupBuddy.</li>
 +
</ol>
  
[[File:AmazonS3Settings.png|AmazonS3Settings.png|link=]]
+
==Security Tips==
 +
* You can grant multiple users access to the bucket by adding additional User ARNs into the policy, separated by commas.  This lets you easily delete users or remove their access in the future.
 +
* You can modify Action permissions to limit user access. For instance to block them from deleting files to make sure backups don't get accidentally deleted or even download backups for ultimate security.  For instance the following would allow uploading backups but prevent users with access to your BackupBuddy install from downloading your backups or deleting them.  For a full list of actions see http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html
 +
<pre>
 +
"Action": [
 +
        "s3:PutObject",
 +
        "s3:ListBucket"
 +
      ]
 +
</pre>
  
<br />
 
 
Once you've entered all of your settings, you'll want to test your settings before adding the destination. 
 
 
Your new location will now show on the Remote Destinations page in BackupBuddy.  If you need to change your settings, click the gear symbol to the right of the destination.
 
 
<br />
 
 
[[File:S3Existing.png|S3Existing.png|link=]]
 
 
<br />
 
  
 
=See also=
 
=See also=
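Review bot: the Example Policy and the Advanced Method bucket policy added in this revision both grant "s3:*" on the bucket and its objects, although the Security Tips added alongside them state that "s3:PutObject" and "s3:ListBucket" are enough for uploading backups. Consider making that narrower Action list the default in both policies and presenting "s3:*" as the fallback, so that keys stored in a BackupBuddy install cannot download or delete backups unless the reader opts in. In the Simple Method list, the step beginning "From the new pasted line remove the /*" has an unclosed parenthesis, and "one as /*" should read "one has /*".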
Line 45: Line 123:
  
 
<br />
 
<br />
[[:BackupBuddy_Test|← Back to BackupBuddy Codex Home]]
+
[[:BackupBuddy|← Back to BackupBuddy Codex Home]]

Latest revision as of 18:30, 6 April 2016

Amazon Simple Storage Service (Amazon S3) is a well known cloud storage provider. This destination is known to be reliable and works well with BackupBuddy. For more information about Amazon S3, visit http://aws.amazon.com/s3/.


Simple Method (inline user policy)

This is the easiest method for granting BackupBuddy permission to access an S3 bucket.

  1. Log in to the Amazon Web Console at http://console.aws.amazon.com
  2. From the top menu select "Services" then click "IAM".
  3. From the left menu select "Users" or go to https://console.aws.amazon.com/iam/home#users
  4. Click the "Create New Users" button.
  5. Enter a username you wish to create to give access to your bucket. For this example I am entering the username "backupbuddy_test_user".
  6. Click "Show User Security Credentials" to display them.
  7. This is the Access Key and Secret Key you will enter into BackupBuddy when creating the Amazon S3 Remote Destination. Enter them now into BackupBuddy, copy them, or download them for entering later. If you lose these, you cannot retrieve them later and will have to generate new keys.
  8. Click "Close" twice to move on.
  9. Click the username you just created to open its details.
  10. Select the "Permissions" tab.
  11. Under Inline Policies (click to expand), you will see "There are no inline policies to show. To create one, click here".
  12. Click where it says "click here".
  13. Choose "Policy Generator" and click "Select".
    • Effect: Allow
    • AWS Service: Amazon S3
    • Actions: All Actions
    • Amazon Resource Name (ARN): arn:aws:s3:::YOUR_BUCKET_NAME_HERE/*
  14. Return to the Users page Permissions tab
  15. Next to the new Policy select "Edit policy"
  16. Under "Resource", copy the ARN line and paste to the next line below it
  17. From the newly pasted line, remove the /* from the end (you should have two identical lines, except that one has /* at the end and one does not).
  18. Add a comma (,) to the end of the first ARN line you copied
  19. See the example policy below for how this should look
  20. Click "Apply policy" to save the changes


Example Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1459964267000",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::YOUR_BUCKET_NAME_HERE/*",
                "arn:aws:s3:::YOUR_BUCKET_NAME_HERE"
            ]
        }
    ]
}

Advanced Method (bucket policy)

Here we will walk you through creating IAM Security Credentials and a Security Policy, and then attaching that Security Policy to your bucket. You will also obtain your security and access keys during this process.

  1. Log in to the Amazon Web Console at http://console.aws.amazon.com
  2. From the top menu select "Services" then click "IAM".
  3. From the left menu select "Users" or go to https://console.aws.amazon.com/iam/home#users
  4. Click the "Create New Users" button.
  5. Enter a username you wish to create to give access to your bucket. For this example I am entering the username "backupbuddy_test_user".
  6. Click "Show User Security Credentials" to display them.
  7. This is the Access Key and Secret Key you will enter into BackupBuddy when creating the Amazon S3 Remote Destination. Enter them now into BackupBuddy, copy them, or download them for entering later. If you lose these, you cannot retrieve them later and will have to generate new keys.
  8. Click "Close" twice to move on.
  9. Click the username you just created to open its details.
  10. Copy the following Security Policy into your favorite text editor or note taking app/site such as Notepad, TextEdit, Typity, Sublime Text 2, etc:
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Principal": {
                      "AWS": [
                          "YOUR_USER_ARN_HERE"
                      ]
                  },
                  "Action": "s3:*",
                  "Resource": [
                      "arn:aws:s3:::YOUR_BUCKET_NAME_HERE",
                      "arn:aws:s3:::YOUR_BUCKET_NAME_HERE/*"
                  ]
              }
          ]
      }
    
  11. Copy the text to the right of "User ARN". It will look something like arn:aws:iam::193065484832:user/backupbuddy_test_user
  12. Paste this "User ARN" in place of "YOUR_USER_ARN_HERE" in the Security Policy above that you pasted into your text editor.
  13. Replace "YOUR_BUCKET_NAME_HERE" with the name of your Amazon S3 Bucket you want to grant this user access to.
  14. From the top menu select "Services" then click "S3" or go to https://console.aws.amazon.com/s3/home
  15. Click the bucket you want to grant access to.
  16. At the upper right, make sure the "Properties" tab/button is selected so you see bucket details on the right.
  17. Expand "Permissions" and click "Edit bucket policy".
  18. Paste the Security Policy from your text editor (that big chunk of text you put your user ARN and bucket name in from above) in this box.
  19. Click "Save".
  20. You can now test this S3 destination in BackupBuddy.

Security Tips

  • You can grant multiple users access to the bucket by adding additional User ARNs into the policy, separated by commas. This lets you easily delete users or remove their access in the future.
  • You can modify Action permissions to limit user access. For instance, you can block users from deleting files to make sure backups don't get accidentally deleted, or even block them from downloading backups for ultimate security. The following would allow uploading backups but prevent users with access to your BackupBuddy install from downloading your backups or deleting them. For a full list of actions see http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html

    "Action": [
        "s3:PutObject",
        "s3:ListBucket"
    ]
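
The following check is an added example, not part of the original page or of BackupBuddy. It audits a policy document for wildcard actions, for actions outside the upload-only list from the tip above, and for a missing bucket or /* Resource line. The sample policies are constructed from the page's placeholders, and the names audit, as_list, BUCKET_LEVEL and OBJECT_LEVEL are assumptions made for illustration.

```python
import json

# Constructed sample: the page's inline example policy, placeholder bucket name kept.
PAGE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:*"],
    "Resource": ["arn:aws:s3:::YOUR_BUCKET_NAME_HERE/*",
                 "arn:aws:s3:::YOUR_BUCKET_NAME_HERE"]
  }]
}""")
# Constructed sample: the same policy with the Action list from the Security Tips.
UPLOAD_ONLY_POLICY = json.loads(json.dumps(PAGE_POLICY))  # deep copy
UPLOAD_ONLY_POLICY["Statement"][0]["Action"] = ["s3:PutObject", "s3:ListBucket"]

BUCKET_LEVEL = {"s3:ListBucket"}  # evaluated against the bare bucket ARN
OBJECT_LEVEL = {"s3:PutObject"}   # evaluated against object ARNs (bucket/...)


def as_list(value):  # IAM accepts either a string or a list for these keys
    return value if isinstance(value, list) else [value]


def audit(policy, allowed=frozenset(BUCKET_LEVEL | OBJECT_LEVEL)):
    """Return findings for Allow statements that exceed an upload-only grant."""
    findings = []
    for n, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(as_list(stmt.get("Action", [])))
        resources = as_list(stmt.get("Resource", []))
        for action in sorted(actions):
            if "*" in action:
                findings.append(f"statement {n}: wildcard action {action}")
            elif action not in allowed:
                findings.append(f"statement {n}: {action} is outside the upload-only set")
        # The part after ':::' is 'bucket' for the bucket and 'bucket/key' for objects.
        has_bucket = any("/" not in r.split(":::")[-1] for r in resources)
        has_object = any("/" in r.split(":::")[-1] for r in resources)
        if actions & BUCKET_LEVEL and not has_bucket:
            findings.append(f"statement {n}: bucket-level action without a bucket ARN")
        if actions & OBJECT_LEVEL and not has_object:
            findings.append(f"statement {n}: object-level action without an object ARN")
    return findings


if __name__ == "__main__":
    print(audit(PAGE_POLICY), audit(UPLOAD_ONLY_POLICY))
```
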

